copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Secu... » ASB-2009.1092 - [Win][Linux][Solaris][AIX] IBM Websp...
 

ASB-2009.1092 - [Win][Linux][Solaris][AIX] IBM Websphere Application Server: Multiple vulnerabilities
Date: 23 September 2009
References: ESB-2009.1658  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1092
Multiple vulnerabilities corrected in IBM Websphere Application Server 6.1
                             23 September 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM Websphere Application Server
Operating System:     Windows
                      Linux variants
                      Solaris
                      AIX
Impact/Access:        Cross-site Scripting     -- Remote/Unauthenticated
                      Access Confidential Data -- Existing Account      
                      Denial of Service        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-2744 CVE-2009-2743 CVE-2009-2742
Member content until: Friday, October 23 2009

OVERVIEW

        Fix Pack 27 has been released for IBM Websphere 6.1 correcting 
        multiple security vulnerabilities.


IMPACT

        The IBM ISS X-Force team have provided the following information 
        regarding these vulnerabilities:
        
        "IBM WebSphere Application Server is vulnerable to cross-site 
        scripting, caused by improper validation of user-supplied input in 
        Eclipse Help. A remote attacker could exploit this vulnerability 
        using a specially-crafted URL to execute script in a victim's Web 
        browser within the security context of the hosting Web site, once 
        the URL is clicked. An attacker could use this vulnerability to 
        steal the victim's cookie-based authentication credentials." [1]
        
        "IBM WebSphere Application Server could allow a local attacker to 
        obtain sensitive information, caused by an error when a certain 
        exception occurs after using the wsadmin scripts and configuring 
        the JAAS-J2C Authentication Data. By viewing the FFDC log file, an 
        attacker could exploit this vulnerability to obtain sensitive 
        information." [2]
        
        "An unspecified vulnerability in IBM WebSphere Application Server 
        related to an error in fixpacks 6.1.0.23 and 6.1.0.25 could allow a 
        remote attacker to cause a denial of service using unknown attack 
        vectors." [3]


MITIGATION

        The vendor recommends applying the latest Fix Pack for IBM Websphere 
        Application Server [4].


REFERENCES

        [1] IBM WebSphere Application Server Eclipse Help cross-site scripting
            http://xforce.iss.net/xforce/xfdb/53342

        [2] IBM WebSphere Application Server wsadmin JAAS-J2C information
            disclosure
            http://xforce.iss.net/xforce/xfdb/53343

        [3] IBM WebSphere Application Server unspecified denial of service
            http://xforce.iss.net/xforce/xfdb/53344

        [4] Recommended fixes for WebSphere Application Server
            http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980#ver61

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKuZX6NVH5XJJInbgRAuXDAJ4rX+O6+TS43q3sDHkVWhZlBjMbmgCfToby
4vGkIgM4dseda3nRQfidiRU=
=z8BA
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=10415&it=11683